
How Audit Committees Can Keep Third-Party Risk in Check

Mar 14th 2016

Headache time, internal audit. The business partners, suppliers, distributors, contractors, and service providers – all of the so-called third parties that help many organizations function – carry risks that internal audit, and subsequently audit committees, typically are expected to assess.

And these third parties may have their own third-party relationships that extend the risks even further. They also may be outside the United States, operating under different laws and business ethics.

The latest Audit Committee Excellence Series report from PwC, Oversight of Third-Party Risks, offers insight into assessment issues and best practices for evaluating these risks. It probably comes as no surprise that handling and assessing third-party risks often falls to internal audit, which, in turn, comes under the audit committee’s purview.

These partners, suppliers, distributors, contractors, and service providers matter so much because the risks they carry fall into categories like bribery, environmental concerns, health and safety, and labor laws. And those areas, the report notes, may not be completely covered by “conventional” internal controls, or by however a particular organization assesses its risks.

What’s more, a key issue unifies these risks: The third parties are governed by contracts. Those contracts outline the obligations, risks, and recourse of everyone involved. And they should come under the overall internal-control system in an organization. Which means, of course, that the lawyers have to be involved.

The report makes special mention of the importance of legal review. “Evaluate whether company counsel is sufficiently engaged in the third-party risk control environment. And whether they comprehend the importance of their role,” the report states.

Internal audit or the audit committee should determine whether the contracts give the company the right to audit the third party’s security controls and require the third party to notify the company of breaches, and whether those rights extend to the third party’s own subcontractors, since a breach at a fourth party is still a breach of the company’s data.

That’s because just about any company has some measure of risk involving third parties, the report notes, stating that “essentially, any organization that has access to your company’s IP or corporate network, provides IT infrastructure to the company, or is otherwise a participant in the company’s ‘value chain’ creates a third-party risk that needs to be managed in some way.”

Here’s a snapshot of what should be addressed:

  • Inventory third-party relationships.
  • The most significant third-party relationships should be given priority. Understand the role of internal audit in auditing these third parties as to risk, as well as fraud prevention and detection. Consider using fraud-monitoring software, the report states.
  • Assign a risk rating for each type of risk and an overall risk rating for each third party. For example, risks might include bribery, revenue, cybersecurity, environmental, piracy, or any other that is pertinent to a specific organization. Discuss if and why third parties are being used in “corruption hot spots,” the report states. Does the company know what critical information the third parties can access? Is access only to necessary information?
  • Figure out who in management is responsible for managing the risk. Does this person have appropriate visibility in the company to be the most effective? What’s his or her attitude about compliance? The report suggests exploring if the company exercises its rights to audit, terminate, and monitor compliance on an ongoing basis.
  • Who does that manager report to? The full board? The audit committee?
  • How frequently will reports be made about each third-party relationship?

As the report puts it, the risks never end. Not only do existing third-party relationships require routine reviews, but new vendors and suppliers will come on board, and company technology will change to create new relationships. And all of it may need to be reassessed if mergers or acquisitions occur.
